CrowdStrike Certified Falcon Hunter (CCFH) — Question 66
Your environment has several PowerShell scripts running that are Base64 encoded. Which of the following areas of Falcon will show you the decoded PowerShell commands?
Answer options
- A. PowerShell Encoded Commands report
- B. PowerShell Hunt report
- C. Event Search for event_simpleName=processrollup2 FileName=powershell.exe
- D. Command Line view of a Detection
Correct answer: D
Explanation
The correct answer is D because the Command Line view of a Detection provides detailed information about the commands that were executed, including any decoded PowerShell commands. Options A and B are specific reports that do not show decoded commands, and option C is an Event Search query rather than a view of the decoded output.